Network firewalls provide important safeguards for any network connected to the Internet. Firewalls are not simple applications that can be activated “out of the box.” A firewall must be configured and managed to realize an important security policy for the particular needs of a given company or entity. It has been said that the most important factor affecting the security of a firewall is the firewall configuration A firewall is a network gateway that filters packets and separates a proprietary corporate network, such as an Intranet, from a public network, such as the Internet. Most of today's firewalls are configured by means of a rule-base or firewall configuration file. The rule-base instructs the firewall which inbound sessions (packets) to permit to pass, and which should be blocked. Similarly, the rule-base specifies which outbound sessions (packets) are permitted. The firewall administrator needs to implement the high-level corporate security policy using this low-level rule-base.
The firewall's configuration interface typically allows the security administrator to define various host-groups (ranges of IP addresses) and service-groups (groups of protocols and corresponding port-numbers at the hosts that form the endpoints). A single rule typically includes a source, a destination, a service-group and an appropriate action. The source and destination are host-groups, and the action is generally either an indication to “pass” or “drop” the packets of the corresponding session
In many firewalls, the rule-base is order sensitive. In other words, the firewall checks if the first rule in the rule-base applies to a new session. If the first rule applies, the packets are either passed or dropped according to the action specified by the first rule. Otherwise, the firewall checks if the second rule applies, and so forth until a rule applies. This scheme makes it difficult to understand what policy a firewall configuration is actually implementing, since the user needs to comprehend the effects of the whole rule-base, including any inter-play between subsequent rules.
Analyzing a firewall configuration is much worse for a larger company, whose rule-base may include thousands of rules, and whose firewall administration team includes many staff members, possibly in different locations.
As apparent from the above-described deficiencies with conventional techniques for administering a firewall, a need exists for analyzing and auditing firewall configurations.
The prior work of [Mayer et al; 2000, Mayer et al; 2005] and [Wool; 2001] teaches how to analyze Firewall Configurations and produce HTML-based Firewall Analyzer Reports. However, the said Reports produced by the methods of [Mayer et al; 2000, Mayer et al; 2005] are voluminous, and do not identify or rate the risks present within the Firewall Configuration. In the current state of the art, a Firewall administrator or auditor needs to navigate through the Firewall Analyzer Report, and use his or her expertise to identify any Configuration mistakes or badly written rules. The current invention shows how to automatically augment the Report with a Risk Assessment.